|
Home > Archive > IIS Server Security > September 2005 > Struggling to fix anonymous authentication problem
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Struggling to fix anonymous authentication problem
|
|
| Philip Colmer 2005-08-24, 2:49 am |
| I've got a member server running Windows Server 2003 SP1 with IIS 6. I've
installed WSUS and, like a lot of other people, the SelfUpdate tree isn't
working. The log says "The remote server returned an error: (401)
Unauthorized.".
I've run Authentication & Access Control Diagnostics 1.0 and it also says
that anonymous authentication returns "401 Unauthorised".
What is puzzling is that for the SelfUpdate tree, I've set the directory
security to JUST anonymous access and I can browse the page quite happily
using IE!
Can someone please suggest what steps I need to take to either resolve this
or pin down the cause of the problem?
Thanks.
--Philip
| |
| Ken Schaefer 2005-08-24, 2:49 am |
| When you are viewing the site in IE, what security zone is displayed down in
the bottom right hand corner? If it is Intranet, then if you go to Tools ->
Security -> Intranet zone -> custom level, and change the Automatic Logon
(it's the last option down the bottom) to Prompt, then restart IE and browse
the site, do you still get in automatically?
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Philip Colmer" <pcolmer@newsgroup.nospam> wrote in message
news:O7nX2lFqFHA.2240@tk2msftngp13.phx.gbl...
: I've got a member server running Windows Server 2003 SP1 with IIS 6. I've
: installed WSUS and, like a lot of other people, the SelfUpdate tree isn't
: working. The log says "The remote server returned an error: (401)
: Unauthorized.".
:
: I've run Authentication & Access Control Diagnostics 1.0 and it also says
: that anonymous authentication returns "401 Unauthorised".
:
: What is puzzling is that for the SelfUpdate tree, I've set the directory
: security to JUST anonymous access and I can browse the page quite happily
: using IE!
:
: Can someone please suggest what steps I need to take to either resolve
this
: or pin down the cause of the problem?
:
: Thanks.
:
: --Philip
:
:
| |
| Philip Colmer 2005-08-24, 2:49 am |
|
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uFK8OOHqFHA.644@TK2MSFTNGP10.phx.gbl...
> When you are viewing the site in IE, what security zone is displayed down
> in
> the bottom right hand corner? If it is Intranet, then if you go to
> Tools ->
> Security -> Intranet zone -> custom level, and change the Automatic Logon
> (it's the last option down the bottom) to Prompt, then restart IE and
> browse
> the site, do you still get in automatically?
>
> Cheers
> Ken
I've done as you've suggested and I still get in automatically.
--Philip
| |
| Wei-Dong XU [MSFT] 2005-08-24, 7:52 am |
| Hi Philip,
From my view, this 401 may be caused by the WSUS account with not enough
access right. So I'd suggest you could check the permission setting of WSUS
following this article.
http://wsusinfo.onsitechsolutions.com/articles/016.htm
Please feel free to let me know if you have any further question on this
matter.
Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
| |
| Philip Colmer 2005-08-30, 2:55 am |
| > From my view, this 401 may be caused by the WSUS account with not enough
> access right.
I didn't want to get too distracted by the WSUS aspect of it. As I had
mentioned earlier, I've used Microsoft's own Authentication & Access Control
Diagnostics tool and *that* is also complaining that anonymous access is
broken.
> So I'd suggest you could check the permission setting of WSUS
> following this article.
> http://wsusinfo.onsitechsolutions.com/articles/016.htm
I cannot get to that page for some reason. I'll try again from a different
Internet connection.
In the meantime, if you have any suggestions as to how I can troubleshoot
anonymous access, I'd appreciate it.
--Philip
| |
| Wei-Dong XU [MSFT] 2005-08-31, 2:52 am |
| Hi Philip,
Since IIS doesn't permit the anonymous access, I'd suggest please check the
IIS site to see whether any ISAPI Filter configured to deny the anonymous
access. We could find this from:
1. IIS site property window
2. click the tab "ISAPI Filter"
3. check whether any filter there. If found any, please check what
application installs them or set by the IIS admin and whether it will deny
the anonymous access.
Expect to your troubleshooting reesult!
Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
| |
| Philip Colmer 2005-08-31, 8:51 pm |
| There are no ISAPI filters listed.
Also please note that although the Authentication & Access Control tool says
that anonymous authentication doesn't work, it DOES appear to work through
IE.
I'm wondering if the diagnostics tool (and WSUS) are using some mechanism
for accessing the site that IE doesn't use and therefore is causing
something to happen with anonymous access?
--Philip
"Wei-Dong XU [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:OgXFugfrFHA.1208@TK2MSFTNGXA01.phx.gbl...
> Hi Philip,
>
> Since IIS doesn't permit the anonymous access, I'd suggest please check
> the
> IIS site to see whether any ISAPI Filter configured to deny the anonymous
> access. We could find this from:
> 1. IIS site property window
> 2. click the tab "ISAPI Filter"
> 3. check whether any filter there. If found any, please check what
> application installs them or set by the IIS admin and whether it will deny
> the anonymous access.
>
> Expect to your troubleshooting reesult!
>
> Best Regards,
> Wei-Dong XU
> Microsoft Product Support Services
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> It is my pleasure to be of assistance.
>
| |
| Wei-Dong XU [MSFT] 2005-09-01, 2:49 am |
| Hi Philip,
Currently based on the troubleshooting result, since IE could work well
anonymously, this issue should be located from WSUS side. There is one WSUS
deployment white paper from Microsoft. Please follow the troubleshooting
suggestion of this white paper to locate this problem:
Software Update Services Deployment White Paper
http://www.microsoft.com/windowsser...echinfo/previou
s/susdeployment.mspx
Please feel free to let me know if you have any further question on this
matter.
Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
| |
| Philip Colmer 2005-09-01, 7:51 am |
| That link is for SUS, not for WSUS.
Regards
Philip
"Wei-Dong XU [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
news:4LJmoDqrFHA.1204@TK2MSFTNGXA01.phx.gbl...
> Hi Philip,
>
> Currently based on the troubleshooting result, since IE could work well
> anonymously, this issue should be located from WSUS side. There is one
> WSUS
> deployment white paper from Microsoft. Please follow the troubleshooting
> suggestion of this white paper to locate this problem:
> Software Update Services Deployment White Paper
> http://www.microsoft.com/windowsser...echinfo/previou
> s/susdeployment.mspx
>
> Please feel free to let me know if you have any further question on this
> matter.
>
> Best Regards,
> Wei-Dong XU
> Microsoft Product Support Services
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> It is my pleasure to be of assistance.
>
| |
| Wei-Dong XU [MSFT] 2005-09-02, 2:54 am |
| Hi Philip,
Sorry for that wrong link! The WSUS opeation guide is available from this
link:
Microsoft Windows Server Update Services Operations Guide
http://www.microsoft.com/downloads/...CDB4-EF0B-4399-
8A71-9B3B00C4F4CD&displaylang=en
Furthermore, since this appears to be caused by WSUS, I'd suggset you could
also post this one at WSUS newsgroup. The WSUS community may be more
helpful on this issue for you.
microsoft.public.windows.server.update_services
Please feel free to let me know if you have any further question on this
matter.
Best Regards,
Wei-Dong XU
Microsoft Product Support Services
This posting is provided "AS IS" with no warranties, and confers no rights.
It is my pleasure to be of assistance.
| |
| Ken Schaefer 2005-09-07, 7:49 am |
| Are you sure the access is anonymous? Can you post the corresponding IIS log
file entries when IE is accessing the site?
IE does have an "auto logon" function for sites in the Intranet zone, so it
may appear that you do not need to enter credentials, but under the covers
IE may be sending your credentials transparently to the server...
Cheers
Ken
--
IIS Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com
"Philip Colmer" <pcolmer@newsgroup.nospam> wrote in message
news:ugKjxeprFHA.3096@TK2MSFTNGP15.phx.gbl...
: There are no ISAPI filters listed.
:
: Also please note that although the Authentication & Access Control tool
says
: that anonymous authentication doesn't work, it DOES appear to work through
: IE.
:
: I'm wondering if the diagnostics tool (and WSUS) are using some mechanism
: for accessing the site that IE doesn't use and therefore is causing
: something to happen with anonymous access?
:
: --Philip
:
: "Wei-Dong XU [MSFT]" <v-wdxu@online.microsoft.com> wrote in message
: news:OgXFugfrFHA.1208@TK2MSFTNGXA01.phx.gbl...
: > Hi Philip,
: >
: > Since IIS doesn't permit the anonymous access, I'd suggest please check
: > the
: > IIS site to see whether any ISAPI Filter configured to deny the
anonymous
: > access. We could find this from:
: > 1. IIS site property window
: > 2. click the tab "ISAPI Filter"
: > 3. check whether any filter there. If found any, please check what
: > application installs them or set by the IIS admin and whether it will
deny
: > the anonymous access.
: >
: > Expect to your troubleshooting reesult!
: >
: > Best Regards,
: > Wei-Dong XU
: > Microsoft Product Support Services
: > This posting is provided "AS IS" with no warranties, and confers no
: > rights.
: > It is my pleasure to be of assistance.
: >
:
:
| |
| Philip Colmer 2005-09-12, 6:13 pm |
|
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:uBAItO5sFHA.3596@TK2MSFTNGP15.phx.gbl...
> Are you sure the access is anonymous? Can you post the corresponding IIS
> log
> file entries when IE is accessing the site?
2005-09-12 14:11:18 10.1.0.29 GET /selfupdate - 80 - 10.1.2.251
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
301 0 0
2005-09-12 14:11:19 10.1.0.29 GET /selfupdate/ - 80 - 10.1.2.251
Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)
200 0 0
> IE does have an "auto logon" function for sites in the Intranet zone, so
> it
> may appear that you do not need to enter credentials, but under the covers
> IE may be sending your credentials transparently to the server...
I followed your instructions to reconfigure my browser so that it didn't do
that. Also, I have actually configured the selfupdate directory so that ONLY
anonymous access is permitted.
--Philip
|
|
|
|
|